Richard Bejtlich's blog on digital security, strategic thought, and military history.

Wednesday, April 27, 2005

Payment Card Industry Security Guidelines

I heard about this back in December, but it slipped off my radar. Now news outlets like The Register and News.com are reporting on the Payment Card Industry (PCI) Data Security Standard. Prior to standardization on the PCI, vendors had to juggle the Visa Cardholder Information Security Program (CISP), the MasterCard Site Data Protection Program, the American Express Data Security Operating Policy (DSOP), and the Discover Information Security and Compliance (DISC) document.

The PCI was publicized back in December when Visa released a memo (available in .pdf form here) letting vendors know what was happening.

The PCI standard consists of twelve requirements:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Merchant e-Solutions summarizes PCI, with a note that level 2 (150,000 to 6,000,000 transactions per year) and level 3 (20,000 to 150,000 transactions per year) merchants require validation by a "Qualified Independent Scan Vendor" no later than June 30, 2005. Some documents also mention a "Qualified Independent Security Assessor." I've emailed Visa to find out how a vendor becomes "qualified," although one of my friends is already taking his security company through the process.

I think helping merchants meet these standards will usher in a new wave of assessment business for security vendors. On a smaller scale, the requirements under "Regularly Monitor and Test Networks" include intrusion detection and traffic audit components, so I look forward to participating in this process myself.

I noticed Foundstone offers a series of Webcasts on PCI and other standards. Regarding other standards, Application Security Inc. helpfully summarizes several of them in one place.

Update: I just got this email from Visa:

Thank you for your interest in the Visa CISP program. Visa is unable to qualify additional security assessors at this time. We are, however, currently considering opening the qualification program again to accept new security assessors. We will keep your information on file and respond if the program opens again. We will also make this information available on the website, so be sure to check back periodically.

Your company may certainly assist companies in meeting and maintaining compliance with the CISP requirements. Unfortunately, Visa is unable to review compliance solutions at this time.

MasterCard owns the scan vendor qualification program. You will need to contact MasterCard to apply for the program. https://sdp.mastercardintl.com/

Regards,
The CISP Team
http://www.visa.com/cisp

Update 2: Here is Visa's list of Qualified Independent Security Assessors in .pdf format. Here is Mastercard's list of Qualified Independent Scan Vendors. Mastercard explains their vendor certification process on that page, but they have not yet responded to the email I sent yesterday. Mastercard does provide a Web-based form to let candidate vendors begin the certification process.

Update 3: I got an email from Mastercard pointing me to the resources I outlined earlier. The sender said Mastercard charges $5,000 to become a Qualified Independent Scan Vendor. How can they possibly justify this cost? Unlike Visa, however, Mastercard is currently accepting new applicants to become Qualified Independent Scan Vendors.